
The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019

Walk through the threat landscape, looking at what has happened over the last year. Learn about the best tools to have in your architecture currently and in the future to help you detect and deal with the threats of this year and the next. Identify where these threats are coming from, and learn how to detect them more easily. The information in this session is provided by various teams and sources.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     The economics of incidents, and creative ways to thwart future threats (SEP312)
     Nathan Case, AWS Security Specialist (Twitter: NathanC54227646, LinkedIn: nathancase)
     Frans Rosén, Security Advisor (Twitter: fransrosen, LinkedIn: fransrosen)
  2. Agenda: Introductions; Some basics: looking backward to look forward; Threats and change; Awareness; The future
  3. No more fear, uncertainty, and doubt (FUD)
     • This is a “tear off the bandage” talk
     • This talk focuses on the impacts of incidents
     • This talk focuses on the issues; blame doesn’t help
     • Tech is not the answer (humans always spill coffee)
     • Public shaming should have stopped in junior high school
  4. (image only)
  5. Why? (Reason for this talk)
  6. (image only)
  7. Shared responsibility model
     • Security OF the cloud: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
     • Security IN the cloud: Customer responsibility is determined by the AWS Cloud services that a customer selects
  8. Security OF the cloud: Scale globally with resilience in every region
     • The largest global footprint, consistently built with a multi-Availability Zone (AZ) and multi-data center design
     • A Region is a physical location in the world where we have multiple AZs
     • AZs consist of one or more discrete data centers, each with redundant power, networking, and connectivity, and housed in separate facilities
     • (Map of Regions with the number of AZs per Region; announced Regions: Bahrain, Hong Kong SAR, Sweden. Diagram: a Region containing AZs, transit AZs, and data centers)
  9. Security OF the cloud: Guiding principle: Bad practice is bad practice in the cloud, the data center, or whatever comes next
  10. Security IN the cloud: Segmentation
     • If everything is critical, then nothing is
     • If you have everything in one basket, everything shares a classification
     • If you put all your risks in one segment, I will target that segment (If everything is bold…)
  11. Security OF the cloud: The cloud is safer: tooling/instrumentation; secure by default; eliminating human interaction/automation
  12. Security IN the cloud: Parts (diagram: social media, transport). Everything from a grilling app to a banking platform
     • Worst-case scenario of asset management
     • Data leakage where you least expect it
     • When out-of-scope is actually very much in-scope
  13. Security IN the cloud: Understanding your critical assets from the attacker point of view; working backward from your customer (the hacker)
     • Data: secrets, PII, collateral data, ...
     • Money: funds transfer, compute for mining, physical goods, ...
     • Political: persona, corporate identity, activist, ...
     • Personal: social, phishing, theft, ...
  14. The number of vulnerabilities: The increased number of vulnerabilities does not mean that it’s getting worse; a lack of identified vulnerabilities is a bigger issue
  15. Threat modeling: If you don't know your assets, you don't know what to protect and how to protect your assets, and you end up building a wall around everything (diagram: Development, Testing, Production)
  16. Incident response domains: Understand your attack surface
     • Service: IAM, Amazon S3 buckets, billing, ...
     • Infrastructure: VPC resources, connectivity, on instance, ...
     • Application: patching, coding hole, ...
  17. Different domains (diagram): VPC CIDR 10.0.0.0/16 across Availability Zones A, B, and C, with a public subnet 10.0.0.0/19, a private subnet 10.0.32.0/20, and a sensitive subnet 10.0.48.0/21; security groups, route table, NACLs, and internet gateway. An instance compromise sits in the infrastructure domain; the application domain covers the workload; the service domain covers Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS, and AWS Directory Service
  18. (image only)
  19–20. Threats of today have changed, and they're all in it for the money… Well, sort of
     • Hacktivism vs. economically incentivized
     • The simplicity of anonymization
     • Quoted tweet (18 Dec 2015): “I honestly wish bug bounties were a ‘thing’ back in the days. I would have been rich and avoided so much drama :)”
  21. Historical outlook of what worked and didn't (chart: encounter percentages for Windows systems, 2013–2017)
  22. Microsoft Windows malware encounter rate trend by category (chart: encounter percentages for Windows systems, 2013–2017)
  23. Malware, cryptomining, ransomware: Reviewing the data, we see that a lot of malware encountered by Windows machines will be things that require human help to solve
  24. Internal threats
     • Generally, open security boundaries
     • Development practice
     • Oddly, the office of no
     • (The intern or the coffee-soaked, sleepy admin)
  25. (image only)
  26. Security IN the cloud: Example: Convenience for QA
  27–29. Security IN the cloud: Example: Convenience for QA (built up over three slides)
     Username: qa_test_xxx@xxx
     Password: azerty13
     2FA-code:
  30–33. The external threats (built up over four slides)
     • Cybercriminals are becoming more agile in their development process
     • They are business people, just nefariously so
     • This means:
       • Shorter vulnerability lifespan—from detection to weaponization
       • Criminals will take only a day or hours to implement attacks against the latest vulnerabilities
       • Four-minute breach after credentials to GitHub
       • Cloud-based cybercriminals
  34. (image only)
  35. So where is the impact? The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148. This number is repeated by a number of websites, reports, etc.
  36. So where is the impact?
     “Activity-based costing (ABC) is a costing method that identifies activities in an organization and assigns the cost of each activity to all products and services according to the actual consumption by each. This model assigns more indirect costs (overhead) into direct costs compared to conventional costing.” (https://en.wikipedia.org/wiki/Activity-based_costing)
     • Direct cost: The direct expense outlay to accomplish a given activity
     • Indirect cost: The amount of time, effort, and other organizational resources allocated to data breach resolution, but not as a direct cash outlay
     • Opportunity cost: The cost resulting from lost business opportunities as a consequence of negative rep
  37. So where is the impact?
     • While we can view the cost per record stolen, the larger cost is the amount of time that the enterprise needs to spend in order to deal with a breach
     • This can often lead to months of project work, stopping new products and features, causing a long-term type of pain for enterprises
     • There are no stats for this cost, as there is no way to collect the data, verify it, or compare it between companies
  38. How do we correct it? If the true loss is not just monetary, but is the forward momentum of the enterprise, how do we fix it? Back to the basics, with a new focus
     • Architectural security
     • Planning for failure
     • Plan for data privacy
     • Plan for the audit
  39. (image only)
  40. (image only)
  41. Your security team is your last line of defense. Why start and stop there?
  42. Is this an example of architectural security? (diagram: VPC CIDR 10.0.0.0/16 across Availability Zones A, B, and C with a public subnet 10.0.0.0/19, a private subnet 10.0.32.0/20, and a sensitive subnet 10.0.48.0/21; security groups, route table, NACLs, internet gateway, and instances; Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS, and AWS Directory Service)
  43. Is this an example of architectural security? (image only)
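To turn the segmentation idea of slide 10 into something checkable against the three-tier VPC drawn on slides 17 and 42 (public 10.0.0.0/19, private 10.0.32.0/20, sensitive 10.0.48.0/21 inside 10.0.0.0/16), here is an added example that is not code from the talk: it verifies that the subnets are well-formed and that a constructed set of security-group or NACL ingress rules lets each tier be reached only from the tier directly above it. The tier-to-tier allow list and the rule set are this example's assumptions.

```python
"""Checks the three-tier VPC from slides 17 and 42 (public 10.0.0.0/19, private
10.0.32.0/20, sensitive 10.0.48.0/21 inside 10.0.0.0/16) against the segmentation
idea of slide 10. Added example, not the talk's code; the rule set is constructed."""
from ipaddress import ip_network

VPC_CIDR = "10.0.0.0/16"
TIERS = {  # tier -> subnet CIDR, as drawn on the slides
    "public": "10.0.0.0/19",
    "private": "10.0.32.0/20",
    "sensitive": "10.0.48.0/21",
}
# Assumed policy: each tier may be reached only from the tier directly above it;
# None marks the internet-facing tier, whose ingress is expected to be open.
ALLOWED_SOURCES = {"public": None, "private": {"public"}, "sensitive": {"private"}}


def check_layout(vpc_cidr=VPC_CIDR, tiers=TIERS) -> list:
    """Every subnet must lie inside the VPC and must not overlap another tier."""
    vpc = ip_network(vpc_cidr)
    nets = {name: ip_network(cidr) for name, cidr in tiers.items()}
    problems, names = [], list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vpc):
            problems.append(f"{a} {nets[a]} is outside VPC {vpc}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def check_ingress(rules, tiers=TIERS, allowed=ALLOWED_SOURCES) -> list:
    """rules: (target tier, protocol, port, source CIDR), as in a security group or
    NACL. A rule passes only if its source sits entirely inside a permitted tier."""
    nets = {name: ip_network(cidr) for name, cidr in tiers.items()}
    problems = []
    for tier, proto, port, src in rules:
        if allowed[tier] is None:
            continue  # internet-facing tier: open ingress is by design
        src_net = ip_network(src)
        if not any(src_net.subnet_of(nets[t]) for t in allowed[tier]):
            problems.append(f"{tier}: {proto}/{port} from {src} is not allowed "
                            f"(permitted sources: {sorted(allowed[tier])})")
    return problems


# Constructed rules: the last two are the convenience shortcuts that erode segmentation.
SAMPLE_RULES = [
    ("public", "tcp", 443, "0.0.0.0/0"),
    ("private", "tcp", 8080, "10.0.0.0/19"),
    ("sensitive", "tcp", 5432, "10.0.32.0/20"),
    ("sensitive", "tcp", 22, "0.0.0.0/0"),
    ("sensitive", "tcp", 5432, "10.0.0.0/19"),
]

if __name__ == "__main__":
    for p in check_layout() + check_ingress(SAMPLE_RULES):
        print(p)
```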
  44. What is DevSecOps? DevSecOps is the combination of cultural philosophies, practices, and tools that exploits the advances made in IT automation to achieve a state of production immutability, frequent delivery of business value, and automated enforcement of security policy. DevSecOps is achieved by integrating and automating the enforcement of preventive, detective, and responsive security controls into the pipeline (diagram: Development, Security, Operations)
  45. DevSecOps: The business; Development: build it faster; Operations: keep it stable; Security: make it secure
  46. DevSecOps (diagram: Development, Operations, Security, the business)
  47. (image only)
  48. RCA: CryptoCurrency:EC2/BitcoinTool.B!DNS
     Problem description: CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in Amazon GuardDuty. This means that we have an account or machine that has been compromised. John, our lead developer, added his AWS key and secret key to his most recent Git post. This was found by someone and then sold to a cryptomining company in another country. We had bad threat detection, and the account was used for a couple of days before we found out.
     -or-
     John had his laptop stolen and didn’t encrypt his hard drive. Because he kept everything in his local Git repo, his user was compromised.
     Postmortem:
     • Use good development practices. Adding static variables that contain access keys to a Git repo causes long-term issues for a cloud account.
       - Use git-secrets
       - Attend a workshop at re:Invent discussing the use of open-source development tools
       - Limit blast radius
       - Enjoy one of the multi-account sessions at re:Invent
     • The loss of corporate resources that were unencrypted.
       - Encrypt hard drives going forward
       - Limit account activities of humans for threat detection
       - Limit account access of people in production and test environments
     awslabs repos: https://github.com/awslabs
  49. Possible game 1: "CryptoCurrency:EC2/BitcoinTool.B!DNS": Accidental exposure of host access credentials
     Objective: Test response in determining if customer data was exposed and the actions taken to rotate access keys
     Imagine a developer committed an SSH private key to GitHub. What was changed? How? When was the issue contained?
     Security incident -> RCA -> SIRS
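Slides 48 and 49 both turn on the same leak: an AWS key pair or an SSH private key committed to Git, which the postmortem answers with git-secrets. The following pre-commit style scanner is an added example in that spirit, not AWS's or git-secrets' code: it inspects only the added lines of a diff, matches AWS access key IDs, high-entropy 40-character secrets next to an AWS keyword, and private-key headers, and ignores low-entropy placeholders. The diff is constructed and uses the placeholder key values from AWS documentation; the patterns and the 4.0-bit entropy cutoff are this example's own assumptions.

```python
"""Pre-commit style scanner for the leaks on slides 48 and 49: an AWS key pair or an
SSH private key added to Git. Added example in the spirit of git-secrets (not its
code). The diff is constructed; the key values are AWS documentation placeholders."""
import math
import re

# Shapes to look for (this example's own patterns, not git-secrets' rule set).
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws.{0,20}?(?:secret|key).{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SSH_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")


def shannon_entropy(s: str) -> float:
    """Bits per character: a real 40-char secret scores well above the 4.0 cutoff,
    a template such as 'xxxx...' scores 0 and is not worth blocking a commit for."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_diff(diff: str) -> list:
    """Return (diff line number, kind, match) for each secret on an added ('+') line.
    Removed and context lines are ignored: only new content can introduce a leak."""
    findings = []
    for n, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for m in AWS_KEY_ID.finditer(body):
            findings.append((n, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET.finditer(body):
            if shannon_entropy(m.group(1)) > 4.0:
                findings.append((n, "aws_secret_access_key", m.group(1)))
        m = SSH_PRIVATE.search(body)
        if m:
            findings.append((n, "ssh_private_key", m.group(0)))
    return findings


# Constructed diff: three leaks on added lines, one low-entropy placeholder, and the
# same key on a removed line (which must not be reported).
SAMPLE_DIFF = (
    "diff --git a/config.py b/config.py\n"
    "--- a/config.py\n"
    "+++ b/config.py\n"
    "@@ -1,2 +1,7 @@\n"
    " REGION = \"us-east-1\"\n"
    "+# TODO remove before release\n"
    "+AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
    "+AWS_SECRET_ACCESS_KEY = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n"
    "+SECRET_TEMPLATE = \"aws_secret_key=" + "x" * 40 + "\"\n"
    "+DEPLOY_KEY = '''-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "-OLD_TOKEN = \"AKIAIOSFODNN7EXAMPLE\"\n"
)

if __name__ == "__main__":
    for n, kind, match in scan_diff(SAMPLE_DIFF):
        print(f"line {n}: {kind}: {match[:8]}...")  # never echo the whole secret
```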
  50. (image only)
  51. Simulate like your business depends on it
     • Build teams with developers, security, and management (and HR and legal)
     • Compete with the other parts of your organization
     • Compete with a red team
     • Compete with other companies
  52. Compete like your business depends on it
     • Requirements
     • Rules of engagement
     • Rules for scoring
     • Do not use production or production data
     • Do not be afraid to lose; that is how we learn
     • Engage outside red teams to teach your developers how to think
     • Be devious
  53. (image only)
  54. Your security teams are your last line of defense: Don’t do this
  55. If your security teams are your last line of defense, your developers are your first. If you plan for an incident, when you have an incident, you will not be surprised. This includes data leaks, GitHub posts, and the next thing. Build security champions (diagram: VPC CIDR 10.0.0.0/16 across Availability Zones A, B, and C with a public subnet 10.0.0.0/19 and a private subnet 10.0.32.0/20; security groups, route table)
  56. (image only)
  57. Your security team employees are your last line of defense: How does Amazon do it? Cultural focus on customer obsession that focuses on security (Job 0). What does that mean?
     • What is a Severity 2 trouble ticket?
     • Why is the security leadership okay with being called accidentally?
  58. Your security team employees are your last line of defense: Bug bounties/internal gamification
     • No more security team! Well, not so much
     • They enhance your testing, not replace it
     • Beware of exposing your known weak points
     • Breaches
     • You have to do your own testing and development process (you have to actually FIX the bug, or you will pay for it again)
  59. Bug bounties?
     • The good things: aligning hackers from a young age into the legal way of helping; putting pressure on your regular security processes; aligning nicely with DevSecOps and automation
     • The bad things: worthless without proper processes; regression testing?; again, it’s not a replacement
  60. (image only)
  61. People are more security-aware than ever before
     • We see more vulnerabilities than we ever did before
     • Teams are focusing on diversity and changing the way we think
     • We have more security tools than ever
     • Artificial intelligence and machine learning are changing the landscape
     But
     • Whaling still works
     • People are bound to do the easy thing
     • Businesses focus on the short-term money, not the long-term cost
     • Humans are prideful
     And I still cannot update human firmware
  62. The issues are not with the products
     • The future of security is not based in a cool new product
     • Privacy, which is part of security, should drive the decisions that you make from the start
     • Adding a firewall is only adding security on one layer and will only provide limited help
     But
     • While humans are the issue, we can also be the solution
     • Security teams can be the grease to get things done quickly if they are added in the beginning
     • Use the teams you have, grow them, and train them to be the best that they can be
  63. Thank you! Nathan Case (Twitter: NathanC54227646, LinkedIn: nathancase); Frans Rosén (Twitter: fransrosen, LinkedIn: fransrosen)
